Summary
While testing the CDRReport module in Issabel PBX, several issues were identified affecting:
stability (HTTP 500 errors)
compatibility with modern PHP versions
SQL handling and security
frontend error handling
🧪 Environment
Issabel PBX: (specify your version)
PHP: (e.g. 7.x / 8.x)
Database: MySQL/MariaDB
Module: cdrreport
🐛 Issue 1: HTTP 500 when deleting CDR records
🔍 Description
Deleting CDR records from the web interface triggers:
POST /index.php 500 (Internal Server Error)
💥 Root Cause
Function borrarCDRs() calls _construirWhereCDR() with fewer arguments than it declares:
list($sWhere, $paramSQL) = $this->_construirWhereCDR($param);
The function is declared with two required parameters. Since PHP 7.1, calling a user-defined function without one of its required arguments throws ArgumentCountError; left uncaught, it aborts the request and the web server reports it as the 500.
✅ Fix
- list($sWhere, $paramSQL) = $this->_construirWhereCDR($param);
+ list($sWhere, $paramSQL) = $this->_construirWhereCDR($param, false);
🐛 Issue 2: Deprecated function mysql_real_escape_string
🔍 Description
The code uses:
mysql_real_escape_string()
💥 Impact
Deprecated in PHP 5.5 and removed, together with the rest of the mysql extension, in PHP 7.0
On PHP 7+ the call fails with "Call to undefined function", a fatal error, so any code path that reaches it breaks
📍 Location
/var/www/html/libs/paloSantoCDR.class.php
✅ Fix (recommended)
Replace the hand-built IN list, which depends on mysql_real_escape_string() to quote each value into the statement text:
$condSQL[] = 'uniqueid IN (\'' . $uniques . '\')';
With one placeholder per value and the values passed as bound parameters:
$condSQL[] = 'uniqueid IN (' . implode(',', array_fill(0, count($uniques), '?')) . ')';
$paramSQL = array_merge($paramSQL, $uniques);
Here $uniques is the array produced by splitting the request parameter (see Issue 6); the values never become part of the SQL text, so no escaping function is needed.
🐛 Issue 3: Unsafe SQL construction
🔍 Description
SQL is built via string concatenation.
💥 Risks
SQL Injection
malformed queries
inconsistent behavior
💡 Recommendation
Use prepared statements consistently across the module.
🐛 Issue 4: AJAX delete lacks error handling
🔍 Description
Frontend JavaScript does not handle AJAX errors.
📍 File
/modules/cdrreport/themes/default/js/javascript.js
❌ Current code
$.ajax({
url:'./index.php',
type: 'post',
...
})
✅ Suggested improvement
error: function(xhr) {
alert("Error: " + xhr.responseText);
}
For the user, xhr.status plus a fixed message is enough; a 500 body may carry a PHP error or stack trace, so log xhr.responseText to the console rather than displaying it, and never insert it into the page with .html().
⚠️ Issue 5: Missing language file (404)
🔍 Error
/modules/cdrreport/lang/datatables.en.json 404 (Not Found)
💥 Impact
Missing UI translations
console errors
💡 Recommendation
ship the missing file with the module
or check that the language file exists before loading it and fall back to the default language when it does not
⚠️ Issue 6: Inconsistent parameter handling (UIDsList)
🔍 Description
Frontend sends:
UIDsList: "id1,id2,id3"
Backend reads the list back as $param['uniqueid'] and splits it with:
preg_split("/,/", $param['uniqueid'])
⚠️ Problem
the parameter name differs between the two sides and the mapping is not documented
the comma split accepts empty items and performs no per-item validation, so the list reaches the SQL layer as-is
💡 Recommendation
accept structured arrays instead of comma-separated strings (jQuery posts a JavaScript array as UIDsList[], which PHP parses into an array)
validate each item against the expected uniqueid format and reject the request on any mismatch
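The two halves of the fix, the parameterized IN list from Issue 2/3 and the validated UIDsList parsing from Issue 6, together, as an added example; this is not code from the Issabel cdrreport module. It uses plain PDO over an in-memory SQLite table standing in for the CDR table (the module's own DB wrapper differs), and the uniqueid character pattern is an assumption made for the demo, not a rule taken from Issabel or Asterisk.

```php
<?php
// Added example, not Issabel code. Shows the string-spliced IN (...) the report
// flags next to the parameterized form, plus validation of the UIDsList input.
// Assumptions: PDO + SQLite in memory as the CDR table; the uniqueid regex below
// is a demo assumption, not the module's rule.

function seedCdr(PDO $db): void {
    // Constructed sample rows.
    $db->exec('DROP TABLE IF EXISTS cdr');
    $db->exec('CREATE TABLE cdr (uniqueid TEXT PRIMARY KEY, src TEXT, dst TEXT)');
    $ins = $db->prepare('INSERT INTO cdr VALUES (?, ?, ?)');
    foreach ([['1700000000.1', '101', '201'],
              ['1700000000.2', '102', '202'],
              ['1700000000.3', '103', '203']] as $row) {
        $ins->execute($row);
    }
}

function countCdr(PDO $db): int {
    return (int) $db->query('SELECT COUNT(*) FROM cdr')->fetchColumn();
}

function deleteCDRsUnsafe(PDO $db, string $uidsList): int {
    // The pattern the report flags: the comma-separated list is re-quoted by
    // hand and spliced into the statement text.
    $uniques = "'" . implode("','", explode(',', $uidsList)) . "'";
    return $db->exec("DELETE FROM cdr WHERE uniqueid IN ($uniques)");
}

function parseUIDsList(string $list): array {
    // Split the "id1,id2,id3" string the frontend sends, drop empty items and
    // reject anything outside the characters a uniqueid is expected to use
    // (assumed pattern: alphanumerics, dot, underscore, dash).
    $ids = array_values(array_filter(array_map('trim', explode(',', $list)), 'strlen'));
    if ($ids === []) {
        throw new InvalidArgumentException('UIDsList is empty');
    }
    foreach ($ids as $id) {
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $id)) {
            throw new InvalidArgumentException("invalid uniqueid: $id");
        }
    }
    return $ids;
}

function deleteCDRs(PDO $db, string $uidsList): int {
    $uniques = parseUIDsList($uidsList);
    // One "?" per value; the values travel as bound parameters, never as SQL text.
    $placeholders = implode(',', array_fill(0, count($uniques), '?'));
    $stmt = $db->prepare("DELETE FROM cdr WHERE uniqueid IN ($placeholders)");
    $stmt->execute($uniques);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Closes the IN list early and appends an always-true clause.
$payload = "x') OR ('1'='1";

seedCdr($db);
deleteCDRsUnsafe($db, $payload);
printf("unsafe: %d rows left after the injected list\n", countCdr($db));

seedCdr($db);
try {
    deleteCDRs($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("safe: rejected (%s), %d rows left\n", $e->getMessage(), countCdr($db));
}
printf("safe: %d rows deleted for a valid list\n", deleteCDRs($db, '1700000000.1,1700000000.3'));
```

The validation step is a second line of defence: even if an invalid value slipped past it, the prepared statement binds it as a string and the quote cannot reach the parser. When the real backend is MySQL via pdo_mysql, set PDO::ATTR_EMULATE_PREPARES to false so that the placeholders are handled server-side rather than interpolated by the driver.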
🚀 General Recommendations
Backend
remove deprecated mysql_* functions
enforce parameterized queries
validate function arguments
Security
avoid direct SQL concatenation
sanitize inputs consistently
Frontend
add proper AJAX error handling
improve user feedback
Maintainability
refactor legacy code
standardize coding practices
🏁 Conclusion
These issues affect:
system stability (HTTP 500 errors)
compatibility with modern PHP versions
security (SQL handling)
user experience
Applying the fixes above resolves:
✔ CDR deletion errors
✔ PHP compatibility issues
✔ SQL safety concerns
✔ frontend feedback problems